Bitcoin Forum
Author Topic: A Non-Custodial wallet, Atomic Wallet, being compromised  (Read 2945 times)
virasog
February 27, 2025, 05:06:14 PM
 #181

....This is really concerning that Atomic Wallet was compromised in the history and also they are deliberately scamming their users but still, they are able to run their business.  Angry

You can show people the info but you can't make them think.

Look at how many people still use some of the crypto casinos that have pages and pages of complaints here and yet they gamble and then can't get their BTC out and then open up yet another post in the Scam Accusations section. Which does not matter since the next person is still going to go there and gamble.....

-Dave

The number of people reading this thread or posts on Atomic Wallet vulnerability is very small compared to the number of people who use Atomic Wallet. They may have got the information about this wallet through Google search or social media and they aren't aware of the history of this wallet. Considering so many new people are jumping into the crypto space, we don't expect them to learn the history of the wallets. They will just opt for it as soon as some influencer recommends it or there are any promotions etc.

This is the reason many scams still continue their business despite scamming people, because people do not care to do due diligence before using any wallet. Same goes for the gambling sites too.

ABCbits
February 28, 2025, 09:28:04 AM
 #182

~~~
Sounds a bit far fetched to me. Why would a company out-source code development knowingly to such an evil group that you can't really control (or I misunderstood you completely)?

More plausible would be an infiltration attempt of such state controlled hackers, offering affordable coding manpower but hiding their real origin. I don't want to know how many "moles" work in software companies where code quality isn't highest priority. Just my shower thought...

This conversation reminds me of when Saudi Arabian spies infiltrated Twitter to steal sensitive data on their critics[1]. Even so, I still think it's far fetched because,
1. North Korea is far less wealthy.
2. Company is less likely to outsource important piece of their software or infrastructure.
3. AFAIK Atomic Wallet isn't that popular.

[1] https://en.wikipedia.org/wiki/Saudi_infiltration_of_Twitter

enquirer
April 02, 2025, 07:38:53 PM
Last edit: April 04, 2025, 09:36:11 PM by Mr. Big
 #183

It's sad news, we thought that using a non-custodial wallet is safe, in fact, there's no really safe over the internet.
Just wanted to know now how much worth was being stolen by hackers, I saw comments on Twitter, other wallets are fine and some are drained out I start thinking now of what version of the wallet and what software they use.

I think should also be visible in the Beginners and Help section to warn newbies out there and start importing their wallets to those who are not yet affected.  Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

About $100m lost total. Some users lost millions. I lost $270k.
A specific version was affected. Anyone who logged in using that version, and had more than ~$20k in the wallet was drained.
I had several different coins, they only took coins with significant amounts, and left the small amounts untouched.



They made an update to June 3rd Event Statement the other day.
Still says  'not our fault, looking in to it'
I would be interested to find out what math they used exactly to calculate that only 0.1% atomic users got affected by this issue  Roll Eyes
In best case this can only be people who contacted them and reported loss of coins with transactions they didn't make, and nobody knows how many people never contacted atomic amateurs.
New statement can be used for bitcoin wallet: not open source, not your coins.

Open source is not a panacea. AW is an Electron app, written in JavaScript. Those JavaScript programs have hundreds of packages imported through npm. It's all open source, but nobody really checks those packages or who wrote them. And any package can be updated with malicious code at any moment.
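
One way to check the exposure described in the post above (npm dependencies that can change underneath an Electron app), as an added example that is not part of any post in this thread and not Atomic Wallet's code. The manifests, package names and hashes are constructed; the field names follow npm's package-lock.json v2/v3 layout.

```javascript
// Added example: constructed manifests, not Atomic Wallet's real dependency tree.
const REG = "https://registry.npmjs.org/";
const samplePackageJson = {
  name: "example-wallet",
  dependencies: {
    "left-helper": "^1.2.0",                    // caret range: newer releases install silently
    "crypto-utils": "2.0.1",                    // exact pin
    "ui-kit": "latest",                         // dist-tag: whatever is published today
    "fork-lib": "github:example-org/fork-lib"   // git source, no registry tarball
  }
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-wallet" },
    "node_modules/left-helper": { version: "1.2.3", resolved: REG + "left-helper/-/left-helper-1.2.3.tgz", integrity: "sha512-CONSTRUCTED-A" },
    "node_modules/crypto-utils": { version: "2.0.1", resolved: REG + "crypto-utils/-/crypto-utils-2.0.1.tgz", integrity: "sha512-CONSTRUCTED-B", hasInstallScript: true },
    "node_modules/ui-kit": { version: "4.0.0", resolved: REG + "ui-kit/-/ui-kit-4.0.0.tgz" },
    "node_modules/fork-lib": { version: "0.1.0", resolved: "git+ssh://git@github.com/example-org/fork-lib.git#CONSTRUCTED" }
  }
};

const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Flag every declared dependency whose spec is not one exact version.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) findings.push({ name, issue: "floating-spec", detail: spec });
    }
  }
  return findings;
}

// Flag lock entries that cannot be verified by hash, come from outside the
// public registry, or run code at install time.
function auditLock(lock, registry = REG) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders, symlinks and bundled copies.
    if (!path.includes("node_modules/") || entry.link || entry.inBundle) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!entry.integrity) findings.push({ name, issue: "missing-integrity", detail: entry.version });
    if (!String(entry.resolved || "").startsWith(registry))
      findings.push({ name, issue: "non-registry-source", detail: entry.resolved || "(none)" });
    if (entry.hasInstallScript) findings.push({ name, issue: "install-script", detail: entry.version });
  }
  return findings;
}

function audit(pkg, lock) {
  return [...auditManifest(pkg), ...auditLock(lock)];
}

for (const f of audit(samplePackageJson, sampleLock)) {
  console.log(`${f.issue.padEnd(20)} ${f.name}  (${f.detail})`);
}
```

A clean report only shows that installs are pinned and hash-checked; it says nothing about whether the pinned code itself was ever reviewed.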
FinneysTrueVision
April 02, 2025, 11:38:51 PM
 #184

Ser, you didn't know? It's actually common practice to out-source programming jobs or hire coders remotely in the modern era of software development. Cool

There's a hiring joke "process" that makes applicants say "I hate Kim Jong Un" or some sort of joke about Kim Jong Un, and if the applicant refuses, then he's most probably a North Korean agent trying to get in the company.

Atomic Wallet was always poorly designed and had many flaws, which they never bothered to fix. Their creators were always the kind who I would not be surprised if they took shortcuts and hired the cheapest developers or outsourced some important things to an unknown team without an established reputation. We might never know how things happened because they have intentionally withheld details and have never released a postmortem, like is the case with almost every major hack. 

DaveF
April 03, 2025, 11:53:25 AM
Merited by vapourminer (4)
 #185

They made an update to June 3rd Event Statement the other day.
Still says  'not our fault, looking in to it'
I would be interested to find out what math they used exactly to calculate that only 0.1% atomic users got affected by this issue  Roll Eyes
In best case this can only be people who contacted them and reported loss of coins with transactions they didn't make, and nobody knows how many people never contacted atomic amateurs.
New statement can be used for bitcoin wallet: not open source, not your coins.

Open source is not a panacea. AW is an Electron app, written in JavaScript. Those JavaScript programs have hundreds of packages imported through npm. It's all open source, but nobody really checks those packages or who wrote them. And any package can be updated with malicious code at any moment.

Yep, I have said it sooooo many times but I'll put it here once again:

There are countless open source apps out there run by millions and millions of people that have still had major security vulnerabilities in them for years. Open source does not mean shit in terms of security. All it means is that if people want to and have the ability to understand it they can check what is going on. Most people don't since unless you fully understand every function and every step you can't be sure that the one section you didn't fully comprehend was the bad one.

Examples sshd and openssl 2 things that you know run on 90% of the servers on the internet: https://www.logpoint.com/en/blog/the-story-of-regresshion/

https://www.threatintelligence.com/blog/openssl-vulnerabilities

And let's not forget the Apache log4j screw up: https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance

Also let's not forget I can open source a wallet that automatically sends everything from everyone's wallet into mine once a year.  Could even put comments in the code as to what it does. People are going to still install / use it if I promote it enough because too many people don't read the code.

-Dave

Cricktor
April 04, 2025, 01:15:59 AM
Merited by vapourminer (1)
 #186

Open-source combined with reproducibility(!) of executables means only, anybody can check how the program operates. If nobody does, bugs, insecure and/or evil code can hide. But at least someone can make an audit and look behind the curtain.

Closed-source is way more difficult to assess because you have the burden of reverse-engineering.

I will certainly never touch Atomic Wallet again, all handling of the last incident(s) was sketchy, which is probably too polite to put it that way. This wallet has no reputation anymore and should in my opinion be considered a scam in disguise. You can wait for the next incident to happen.

Wind_FURY (OP)
April 08, 2025, 03:59:23 PM
 #187

Ser, you didn't know? It's actually common practice to out-source programming jobs or hire coders remotely in the modern era of software development. Cool

There's a hiring joke "process" that makes applicants say "I hate Kim Jong Un" or some sort of joke about Kim Jong Un, and if the applicant refuses, then he's most probably a North Korean agent trying to get in the company.


Atomic Wallet was always poorly designed and had many flaws, which they never bothered to fix. Their creators were always the kind who I would not be surprised if they took shortcuts and hired the cheapest developers or outsourced some important things to an unknown team without an established reputation. We might never know how things happened because they have intentionally withheld details and have never released a postmortem, like is the case with almost every major hack. 


If that's actually true, then we absolutely should NOT touch Atomic Wallet and all the other software built by this team. Their hiring process might actually have let some bad actors work on their software, AND it could actually have backdoors and other built-in exploits.

I know that this post might be mere FUD because of the lack of evidence, BUT explain the unexplainable hacks against random users of this wallet.

Z-tight
April 10, 2025, 02:20:44 PM
Merited by vapourminer (1)
 #188

Also let's not forget I can open source a wallet that automatically sends everything from everyone's wallet into mine once a year.  Could even put comments in the code as to what it does. People are going to still install / use it if I promote it enough because too many people don't read the code.
True, but there is still a chance that some people are going to read the code and alert the rest of the community about the vulnerability, however, if it was closed source, there is no chance of that happening and people's wallets will keep getting drained and they will be waiting for solutions and answers from you the dev, lol.

I get it that open source does not automatically mean safe, but if it is an open source and well reviewed software, it should be better than most closed source options, with the user's good opsec of course.

Wind_FURY (OP)
April 10, 2025, 05:02:07 PM
 #189

Also let's not forget I can open source a wallet that automatically sends everything from everyone's wallet into mine once a year.  Could even put comments in the code as to what it does. People are going to still install / use it if I promote it enough because too many people don't read the code.
True, but there is still a chance that some people are going to read the code and alert the rest of the community about the vulnerability, however, if it was closed source, there is no chance of that happening and people's wallets will keep getting drained and they will be waiting for solutions and answers from you the dev, lol.

I get it that open source does not automatically mean safe, but if it is an open source and well reviewed software, it should be better than most closed source options, with the user's good opsec of course.


For software usages such as this new asset class we call "cryptocurrencies" - which derives its ethos from decentralization, censorship-resistance, permissionlessness, and "don't trust, verify", then OF COURSE it would only make sense if the network/protocol it's built on is Open Source.

  ¯\_(ツ)_/¯

Plus an Open Source license helps with Bitcoin's adoption because it's permissive and it doesn't restrict its use, development, and distribution.

Forsyth Jones
April 14, 2025, 09:17:54 PM
 #190

True, but there is still a chance that some people are going to read the code and alert the rest of the community about the vulnerability, however, if it was closed source, there is no chance of that happening and people's wallets will keep getting drained and they will be waiting for solutions and answers from you the dev, lol.

I get it that open source does not automatically mean safe, but if it is an open source and well reviewed software, it should be better than most closed source options, with the user's good opsec of course.
Open source is one of the most important elements for a Bitcoin wallet, but it doesn't guarantee security if no one who understands code has inspected it or if the wallet isn't well-known. The ideal would be to 'trust while being suspicious', the famous mantra: don't trust, verify!

In other words, try open source wallets that are well-known in the community, have good reviews and have been inspected by the community.

I've never downloaded and would never try Atomic Wallet, it reminds me too much of what happened with Jaxx.

The only multi-coin wallet I'm somewhat familiar with is Coinomi, though I hope they open their code one day. That would make it much better.
